Corporate arse-covering in 5 ... 4 ... 3 ...
Believe 'em? Neither do I ...
TalkTalk confirmed on Saturday afternoon that incomplete bank details were lifted by crims, even though its core systems were not targeted in the attack on its business earlier this week. The budget telco said that its website had been plundered by malefactors. However, TalkTalk claimed that complete credit card details of …
The real kicker is, they still are not sure what has or has not been taken, they are headless chickens running around with absolutely no idea!
Oh, wonder how David Cameron is doing with his thinking on banning strong encryption, sorry, can't type, pissing myself laughing :-)
How is it reassuring that a child using talk talk couldn't get all the data he wanted.
Of course it is true. He probably had shed loads, all pilfered as e-mail but they lost his emails like they lost all mine. Talk Talk's security was probably based on Julian Assanges used condoms.
Do they think people are?
The last 4 digits are a standard security question when trying to access other accounts and services, and combine that with the personal contact info and identity theft is a no brainer.
And the bigger question is wtf is the card data doing in the same place as the other website data? It should be held in separate databases and secured separately as well but I guess its a lot easier to stick it all in one database!
If only TalkTalk put as much effort into security as they have put into polishing the current turd this would not have happened.
The only reason I can see for storing their customers' bank account data but without the full bank account number is for the purpose of support. It might be that the hackers actually got access to a TalkTalk helpdesk system. As you say, the helpdesk often only has access to the last four digits for ID purposes.
The billing systems (which would contain the full details) are likely not compromised.
That would suggest that the hackers probably have contact details and the last four digits but indeed not enough to commit fraudulent transactions on those accounts. Judging from a few cases of people who are missing money that I heard on the radio it seems that the hackers took the details and started calling the victims. They received a phone call informing them about the hack, probably from the hackers identifying as TalkTalk. If you have contact details and the last four digits it should be relatively easy to convince people to hand over any missing details.
Can't recall ever being asked last 4 digits of card number as a security question ... at most its displayed on sites to show what card you have registered - ie enough data for you to know which card is being used but not enough for anyone else to use. I'd assume this is what was kept on the customer facing part of the the payment system. Given that the last 4 digits of card used are also routinely printed on receipts then its not exactly difficult to find so I'd be astonished if anyone considered this to be "secure" information.
I don't tkink you've got it quite right.
As I read that a**e covering drivel it seems that their "core systems" were not targeted. Apparently customers' details weren't stored on the "core systems", but on "the site" - I presume that means the website.
So - anyone having a dig around the website ......
I wonder what's on their "core systems"?? Cookery recipies? Pr0n stash?
I could be wrong of course.
There are already public complaints about bank accounts being syphoned. That suggests that those punters paid by debit card. Note that they only talk about cc info. Either they were storing all the debit card info but not the cc info - unlikely - and keeping quiet about that or a headless chicken is telling porkies.
In any case - if they haven't got the full cc info themselves it's no good to them, so why store it? Perhaps they mean " encypted" - for some new IOT definition of encrypted.
I think I'll start a kickstarter project to develop the world's largest, nastiest rubber hose. There's probably enough irate customers out there only too kean to weild it.
By the sounds of things the crims basically got EVERYTHING.
I think the better question for this attack would be "What did the crackers NOT get?".
Who's willing to bet this attack was helped by some admin who thought it'd be okay to not update that machine as no one would be likely to exploit that security bug as they thought it was too obscure to be exploited?
Irrespective of whether card details have been taken there is undoubtedly enough information to facilitate identity theft on a large scale. The Mat Honan story should have been a wake up call to the industry yet such hacks still occur. Isn't it the case that the CIA director's email account was compromised by the young hacker getting a password reset through a support call?
In short, the very four digits that Amazon considers unimportant enough to display in the clear on the web are precisely the same ones that Apple considers secure enough to perform identity verification.
I don't understand. Am I not supposed to get asked "security questions" and at amazon I have even labeled them "security question #1", "security question #2", "security question #3"...
They can't hide the fact that they were hacked and lost a lot of data over hours, possibly days.
They have a duty of care for our data. End Of.
They failed that and the ICO + the Rozzers should be all over them.
The Class Action suit might even be enough to put them out of business.
They will haemorage customers even if the give a year's free everything to those affected.
The future is bleak for T-T. I would not want to be a T-T shareholder for all the tea-tea in China.
sorry for the rant but their actions just make me Mad.
As a TalkTalk customer, I'm relieved to read that my password wasn't nicked. Baroness Harding and her chums have been telling me for the past couple of days to change my password but, since the relevant part of their website is "unavailable right now", it can't be done.
Incidentally, I'm not really a TalkTalk customer.
I was a Pipex customer.
Pipex me sold to Tiscali.
Tiscali sold me to TalkTalk.
So I'm a commodity.
I just switched my parents to PlusNet today. The cashback (I did it via Quidco) covers the overlap between the contracts - they had a month to the end of their contract.
I mentioned this latest breach as one of the reasons. They sounded ready to make all sorts of offers to keep the business. The one reason I didn't mention to them was that I wanted to support a UK-based business - it seemed a little too ranty to mention it to the overseas call centre operative.
That's why for anyone that doesn't have a proper legal need for it, like an ISP, I always give them a second DOB I've committed to memory.
Banks and the like, who have 2FA, can have my real DOB. An online retailer who can't really demonstrate a need to have my DOB (other than it being a shared secret between us) can have a made up one.
I a couple of years ago I was in the queue for the bank and I overheard a distraught customer revealing how she had be scammed into giving the rest of her bank account details. A scammer called her up and for security reasons they gave her the (standard) prefix of her card number and got her to reveal the rest to confirm her identity,
With this data a scammer could easily modify it by giving the first and last digits and getting the customer to reveal the middle digits. As the first 4 digits are card and bank specific they can easily cycle through the card numbers pretending to be the relevant bank that the card is attached to.
(Public Service Announcement)
It won't be popular with some companies with bad practices but tough.
"Never, ever, give an agent any details on the phone when they have called you. You don't know who they are unless you are the one making the call to a number whose provenance you trust"
* it might be best to call that number from another phone - you cannot be sure the dial tone you hear is not being played to you by an attacker who has not actually hung up
""Never, ever, give an agent any details on the phone when they have called you. You don't know who they are unless you are the one making the call to a number whose provenance you trust""
I got called up recently by someone claiming to be from a well known pension firm wanting to carry out a "survey of my financial providers" and asking to confirm my name.
I explained to him that I couldn't speak to him until he identified himself to me. He started to argue and I told him I had been warned by [same well known pension firm] that there were a lot of fraudsters trying to get people's financial details, and it was his job to prove who he was. Hangup...
They must think we're stupid, I thought...and then I thought, well, how many people do actually understand that it is a random caller's job to prove who they are?
"They must think we're stupid, I thought...and then I thought, well, how many people do actually understand that it is a random caller's job to prove who they are?"
The banks, building societies and insurance companies certainly don't. Neither do they think it essential that they prove their emails are from them. I've had emails from digital marketing companies working on their behalf where the client's domain is in the From: field but a quick glance at the headers shows that it never came from them and any links don't come from them either. When the clients are taken to task over this they show no indication that they realise the result looks just like a phishing scam and that they're training their customers to be scammed.
"In which case dial 1471 or a friend's no. first to make sure the line has disconnected." -- Captain Badmouth
Not sure it's beyond the ability of a clever crim to fake the voice-synthesized response to 1471 -- I'd stick to calling a person whose voice (or whose response, e.g. "4As Taxis") you will recognise. Better still, use a mobile which cannot still be connected to the previous call.
I'm not sure why the calling party must hang up to disconnect the call on a landline, can this be fixed?
Can we start a campaign to make it illegal for outbound calling agents to ask security questions, and restrict them to giving names and/or reference numbers and a request to call back?
Not sure it's beyond the ability of a clever crim to fake the voice-synthesized response to 1471
No need - they just intercept the DTMF tones and dial out anything that isn't interesting. Dial 1471 and you get the real 1471. Dial your bank, and you get a scammer...
I wonder if any of the people who complained about having bank accounts emptied had accounts with Lloyds. It appears the information they had was enough to open account there, and the recently closed security hole at Lloyds meant that they could have accessed other Lloyds accounts held by the victim.
On a couple of occasions I have been phoned up by my credit card company and they have started by asking me to confirm MY identity. It always throws a spanner in their works when I respond -
"Hold on, YOU have phoned ME, therefore you know who I am. Now, how do we go about confirming who YOU are ?"
After a pause for thought, sometimes a long pause, the usual reply is "My name is ****, phone the number on your card and ask for me." And that is fair enough.
I've had this too, but they have a problem that they don't know for sure that the person that has answered their call is the person they are looking for and they are regulatory bound to have to identify the person on the phone.
But I have the same conversation with them and I always end up having to call back.
The other stupid one is when I call for some business on an account that is in my wife's name. They won't speak to me until they've spoken to my wife to verify it's OK first, but the only ID they are interested in is a female voice.
So why is this such a bit issue, besides the large scale social engineering attack vector opportunity. Read opportunity. But even that is information that is on the electoral role, albeit now linked to a possible identification of which bank.
I mean your cheques include you bank details? It is normal for corporate letter head to include full address, bank details including international notation. None of this is actually secret information.
The last 4 digits of a credit card transaction are on every receipt from a pdq machine...
Sure it is bad, it highlights in appropriate measures, there is a huge scamming possibility, but without that no bank accounts or credit cards will be emptied....
I used to be a Tiscali customer, and was swept up in the takeover.
I quit Talk Talk a couple of years ago.
Earlier today I came across an old bookmark to a file I had uploaded on the customer-website. It still worked. Nothing critical, but sadly out-of-date now.
So they don't seem to be handling data very well. I was paying so much a month for all their services. I stopped paying them. They're still providing some of those services.
(Those business directory websites have a lot of defunct entries too. They scooped up names and addresses from somewhere, plastered the pages with adverts, and have never bothered to update. I know of several such businesses in one small town: gone but not forgotten.)
"I used to be a Tiscali customer, and was swept up in the takeover."
I used to be a Nildram customer. Nildram was taken over by Pipex which was taken over by Tiscali but the email address remained Nildram. After the TalkTalk takeover I also bailed out. As a matter of curiosity I just tried a test post to my old Nildram address. It bounced but a quick whois indicates the domain expired yesterday. Deliberate, coincidence or have they just been too distracted to renew it?
No banking details were taken that you won’t already be sharing with people when you write a cheque or give to someone so they can pay money into your account.
I read this as meaning they got my sort code and account number? Weasel words...very much not good news.
The entire way we process payments is going to have to change.
This notion that you can just give someone a 16 digit card number, exp date and a 3 digit code with some optional add on security is basically creating a giant honey pot for thieves.
The whole concept needs to move to something totally different.
One off transactions should be pushed - unique payment token sent to thr retailer. There's no need to have credit card info.
Direct Debits should be setup using a unique code too.
Banks could generate an "application specific code much like Gmail does with 2 factor security enabled. This could be done by online banking portals or for the less tech savvy just give them 30 unique codes on a card for setting up direct debit / automatic payments.
Also your bank account should have an "Inward only" number to allow payments in only and then a confidential account number for your use only for actually accessing it.
There's no reason why all these highly sensitive bank details should be exposed.
People already struggle with PIN numbers and passwords, having them remember more numbers is not going to be popular.
The card provider verification systems are good like pin sentry etc where you put your card into the reader type your pin choose an option and type in a code from the website and enter on the website the generated code. That could generate your token used instead of your card number.
This post has been deleted by its author
for those who want to leave.
Shame on them. I fully expect a deluge of cases for breach of contract to hit the small claims court for .... the same amount as the fee they levy.
T-T really are the pits.
I really hope that other ISP's learn from this and sharpen up their acts and pray that it as'nt an inside job all along
the biggest problem i see is the thousands of people tht left talktalk or cancelled the order before installation a you have to enter bank details and also pay for delivery etc. wht will happen to these people because i am totally sure they have never purged old customer data from any database especially the tiscali ones.
They have not yet confirmed if passwords were also stolen ... I would hope they are salted and hashed .. but I suspect they may not be. When you initially sign up for their services (over the phone, not web) they will ask you for a password. You can then use that to log in to their website. Unfortunately they do seem to be able to ask you for your password when you call in for support ... which might mean they are typing it in and checking it matches .. or might mean its displayed on their screen .. and held in the clear.
If they have held passwords in plain text, they need punishing, financially.
Technically you only need to encrypt the 6 digits in the middle of the card number which is pretty ridiculous seeing you could derive the encrypted part by generating numbers in between that pass a LUN check, the postcode (truncated to digits only), numeric part of the address and CV2 all matching will get you a successful auth 99 times out of 100
As a PSP/online store you are not ever allowed to store CV2 only use it for time of submission to the bank. Mastercard/Visa both have additional ability to protect transaction with 3DSecure but this is not generally mandatory to perform a credit card transaction.
Having personally worked at a PCI DSS level 1 PSP for over 5 years and having seen how this stuff works in the backend is somewhat amazing what actually gets transferred. For example all Credit Card numbers for settlement files are plaintext uploaded via PSTN to a banks FTP site authenticated only with username/password and in some cases the file remains there, god knows what the banks actually do to protect this but it is common knowledge in PSP that this type of data is unencrypted in Auth files as well as on many private MPLS networks that BT manage.
Biting the hand that feeds IT © 1998–2021